Building A Health Claims Database Raises Privacy Concerns
By next August the state of Connecticut wants to have the last three years of health claims data in a database that will help individuals make better decisions about their health care.
The database is supposed to give public health officials and consumers better information about how much a medical procedure will cost or how frequently certain medical services are accessed. The hope is it will give the state detailed information to help officials design various cost containment and quality improvement efforts.
In New Hampshire, which already has a database, it’s helped public health officials understand better the frequency at which Medicaid patients were using the emergency room as a doctor’s office. In some of the more rural parts of New Hampshire, the emergency room was the only place to see a doctor, Jo Porter, deputy director of the Institute for Health Policy and Practice, said Thursday at a Capitol forum on All-Payer Claims Databases.
Armed with that kind of data officials can try and change behavior or encourage doctors to set up offices in parts of the state where there’s a greater need and less access to care.
Connecticut’s legislature created its All-Payer Claims Database in 2012. Then in 2013 it handed over governance to Access Health CT, the quasi-public agency managing the state’s health insurance exchange.
But at the moment Access Health CT hasn’t adopted a set of guidelines or procedures for how the data will be protected and who will get to use it or buy it.
That’s an issue that will need to be addressed during the legislative session that starts in February, Tamim Ahmed, executive director of Connecticut’s All-Payer Claims Database, said.
In the meantime, the group is already getting information from the Medicaid and Medicare population in the state and expects to be getting information from the private insurance carriers in the next few months.
He said an individual’s claim data won’t necessarily be de-identified but it will be highly encrypted.
“A member’s ID will be scrambled in such a way almost like 128 [bit] encryption,” Ahmed said. “So nobody can go back and re-identify.”
Ahmed said that the state wouldn’t be working with “de-identified” data, but would provide “HIPAA-like” protections to the data it receives. HIPAA is the Health Insurance Portability and Accountability Act, which protects the privacy of individually identifiable health information.
“Real thought needs to be given to who gets the data and how will they use it,” David Newman, executive director of the Health Care Cost Institute, warned Thursday at the forum. “This goes beyond what any statute says because there are real public issues here.”
There are some unscrupulous people in any industry, including the health care industry.
Newman said he spends about 30 percent of his time licensing data to academics. He said his organization does not license the data it gets from insurance carriers to commercial entities for commercial purposes. But there are people out there looking to capitalize on this data, which can be used to pinpoint public health crises or lack of access to doctors by certain portions of a state.
“Many academics wear multiple hats, reputable academics. Every one of them has a limited liability corporation. They’re consultants and they’re eager to get a hold of the data,” Newman warned. “What starts as statistically de-identified dataset, needs to remain statistically de-identified.”
He said there is a temptation by every researcher to add components to the data and they’ll do it “behind your back or without your permission and they’ll turn statistically de-identified data into identified data.”
That’s Dr. Susan Israel’s biggest fear.
She said she’s extremely worried about the lack of protections for the datasets under the current legislation.
“We do not have a data use rule or data governance yet,” Ahmed told her. “We would try to emulate a HIPAA-like entity so that we could apply the rules.”
He said he believes that would be adequate protection, but Israel still disagreed.
“It’s not as simple as what you’re saying,” Israel said. “I think the public should be made fully aware.”
Some states are more restrictive than others when it comes to the data, Porter said. In Minnesota all the data was housed in one state agency and used for one purpose. Other states with less restrictive policies have governing boards that have to approve the release of data and the fields in the request for data.
Porter said she sat on one of the governing boards and had to determine whether certain researchers really needed access to certain fields of data to answer the question they were looking answer. That meant telling some researchers they didn’t need zip code, they only needed county to answer the question so that’s all they were going to get, she said.
There is no way for consumers to opt out of having their data shared in an All-Payer Claims Database like there is with the Health Information Technology Exchange where doctors and medical practices share their clinical information with the state.
Newman warned that the state should be thoughtful when making these decisions because it’s costly and time consuming to have to go back and start from the beginning.
“It’s easy to do it wrong and it’s tough to do it right, but it’s worth doing,” Newman said.